RSA SecurID Submethod
RSA SecurID is a widely used two-factor authentication method based on SecurID Authenticator tokens. In SSH Tectia, support for RSA SecurID is enabled as a submethod of keyboard-interactive authentication. Familiarize yourself with the RSA ACE/Server (RSA Authentication Manager) documentation before reading further.
The prerequisite for enabling SecurID support in SSH Tectia Server is that the RSA ACE/Agent (RSA Authentication Agent) software (also installed with the ACE/Server installation) is installed on the host and that the SecurID user is able to authenticate using the RSA-provided sdshell program on this particular agent host. Note that on RSA ACE/Agent 5.x installations, the RSA-provided ACE/Agent library file is required. The operating-system-specific file can be found on the RSA ACE/Agent Authentication API 5.0.x CD-ROM provided with the RSA ACE/Server 5.0 and 5.1 distributions.
In the instructions below, the /<top> directory refers to the RSA ACE/Agent installation directory.
RSA SecurID Plugins
The SecurID plugins are automatically installed with the SSH Tectia Server (M) package. No separate installation is necessary.
In order to use the v5 SecurID plugin, the RSA-provided ACE/Agent library file has to be in the library path when the plugin is executed by SSH Tectia Server. A good way to make sure the v5 plugin finds the library is to create a symlink pointing to the library (assuming the library is in /ACEpath/lib/sol/libaceclnt.so):
$ ln -s /ACEpath/lib/sol/libaceclnt.so /usr/lib
The location of the library depends on the platform. Refer to your RSA ACE
documentation.
Configuring SSH Tectia Server for SecurID Support
The server will allow all users to log in using SecurID when the keyboard-interactive authentication method and its submethod plugin are listed among the authentication methods and AuthKbdInt.Plugin points to the appropriate plugin executable in the main server configuration file sshd2_config.
To enable RSA SecurID support on the server side, include the following lines in the /etc/ssh2/sshd2_config file:
AllowedAuthentications keyboard-interactive
...
AuthKbdInt.Optional plugin
AuthKbdInt.Plugin ssh-securidv5-plugin
The lines are valid for RSA ACE/Agent 5. For RSA ACE/Agent 4, the last line should be:
AuthKbdInt.Plugin ssh-securidv4-plugin
On the client side, include the following line in the /etc/ssh2/ssh2_config file:
AllowedAuthentications keyboard-interactive
In SSH Tectia Client, keyboard-interactive is allowed by default. Note that the Secure Shell client controls the order in which the authentication methods are attempted. The least interactive method should usually be listed first.
However, SSH Tectia Server controls the order of keyboard-interactive submethods. If several AuthKbdInt.Optional or AuthKbdInt.Required methods are listed in the sshd2_config file, they should be specified in the order you wish the client to attempt them.
Using SSH Tectia Server with the SecurID Plugin
Do the following:
- Check that the user's shell is not /<top>/ace/prog/sdshell before you run the sshd2 daemon. This will prevent the user from authenticating twice with SecurID, first when logging in with Secure Shell and a second time when the user is allocated a shell.
- Check that the VAR_ACE environment variable is set and points to the directory that contains the sdconf.rec file. The variable has to be set before starting sshd2, and its value is typically /<top>/ace/data.
# export VAR_ACE=/<top>/ace/data
- If RSA ACE/Agent 5.x is used, ensure that the shared library file libaceclnt is found in the library path (for example, /usr/lib). Alternatively, you could add the directory to your /etc/ld.so.conf on platforms that use it.
- Restart the server as instructed in Section Starting the Server.
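The following pre-flight script is an added example, not part of the SSH Tectia or RSA documentation; it checks the prerequisites listed above before sshd2 is restarted. It assumes the ACE/Agent library is named libaceclnt.so and takes every file path as an argument, so it can also be run against copies of the configuration files.

```shell
#!/bin/sh
# Pre-flight checks for the SecurID submethod on an SSH Tectia agent host.
# Added example, not SSH Tectia's or RSA's own code. Each check takes its inputs
# as arguments, returns 0 when the prerequisite holds and prints the problem otherwise.

# VAR_ACE must be set and point at the directory holding sdconf.rec.
check_var_ace() {
    [ -n "$1" ] || { echo "VAR_ACE is not set"; return 1; }
    [ -f "$1/sdconf.rec" ] || { echo "no sdconf.rec under $1"; return 1; }
}

# sshd2_config must allow keyboard-interactive, list the plugin submethod and
# point AuthKbdInt.Plugin at the v4 or v5 SecurID plugin executable.
check_sshd2_config() {
    grep -Eq '^[[:space:]]*AllowedAuthentications[[:space:]].*keyboard-interactive' "$1" ||
        { echo "$1: keyboard-interactive is not in AllowedAuthentications"; return 1; }
    grep -Eq '^[[:space:]]*AuthKbdInt\.(Optional|Required)[[:space:]]+.*plugin' "$1" ||
        { echo "$1: plugin submethod is not listed under AuthKbdInt"; return 1; }
    grep -Eq '^[[:space:]]*AuthKbdInt\.Plugin[[:space:]]+ssh-securidv[45]-plugin' "$1" ||
        { echo "$1: AuthKbdInt.Plugin does not name a SecurID plugin"; return 1; }
}

# The login shell of <passwd file> <user> must not be sdshell, or SecurID
# prompts twice: once at the Secure Shell login and again when the shell starts.
check_user_shell() {
    shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    [ -n "$shell" ] || { echo "user $2 not found in $1"; return 1; }
    case "$shell" in
        */sdshell) echo "user $2 has shell $shell (would authenticate twice)"; return 1 ;;
    esac
    return 0
}

# The ACE/Agent 5.x client library must be in one of the given library
# directories (for example /usr/lib, or a directory listed in /etc/ld.so.conf).
check_ace_library() {
    for dir in "$@"; do
        [ -e "$dir/libaceclnt.so" ] && return 0   # assumes the Solaris-style file name
    done
    echo "libaceclnt.so not found in: $*"; return 1
}

# Run every check against the live host: sh securid-preflight.sh <user>
if [ "$#" -eq 1 ]; then
    check_var_ace "${VAR_ACE:-}" &&
    check_sshd2_config /etc/ssh2/sshd2_config &&
    check_user_shell /etc/passwd "$1" &&
    check_ace_library /usr/lib $(grep '^/' /etc/ld.so.conf 2>/dev/null) &&
    echo "all SecurID prerequisites satisfied; sshd2 can be restarted"
fi
```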
Note: SSH Communications Security does not provide technical
support on how to configure RSA ACE/Server. Our support only
covers SSH Tectia applications.